10686760

Method and System for Generating Dynamic Rules for Computer Network Firewall

Published: June 16, 2020
Assignee: not available in USPTO data
Inventors: Maulik Yagnik

Patent Claims
17 claims

Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.

Claim 1

Original Legal Text

1. A method for generating dynamic rules for a firewall policy, the method comprising: applying, by a computing device, a plurality of drop rules to a plurality of packets received at a network interface, wherein the plurality of drop rules are sequentially arranged and determine at least one of allowance and dropping of a packet of the plurality of packets based on a tracking information; generating, by the computing device, a unique drop rule for dropping a set of packets from the plurality of packets based on an implicit deny rule, wherein the implicit deny rule determines a drop for each of the plurality of packets; and determining, by the computing device, a sequence for the unique drop rule in the plurality of drop rules based on dropping of the set of packets.

Plain English Translation

This invention relates to dynamic firewall policy management in network security. The problem addressed is the static nature of traditional firewall rules, which often leads to inefficient packet filtering and security gaps. The solution involves a method for dynamically generating and sequencing firewall rules to improve packet filtering efficiency and security. The method operates by applying a sequence of drop rules to incoming network packets. These drop rules are evaluated in order to determine whether a packet is allowed or dropped based on tracking information. If a packet is not explicitly allowed by any of the drop rules, it is subject to an implicit deny rule, which defaults to dropping the packet. The system then generates a unique drop rule specifically for packets that would otherwise be dropped by the implicit deny rule. This unique rule is dynamically inserted into the sequence of existing drop rules at an optimal position to ensure efficient filtering. The sequence is determined based on the behavior of the dropped packets, optimizing the firewall's performance by reducing unnecessary rule evaluations. This approach enhances security by ensuring all unallowed traffic is explicitly blocked while improving efficiency by minimizing redundant rule checks.

Claim 2

Original Legal Text

2. The method of claim 1, wherein the network interface is an ingress interface at a communication network.

Plain English Translation

A system and method for managing network traffic at an ingress interface of a communication network. The ingress interface receives data packets from external sources and processes them before forwarding to the network. The method involves analyzing incoming data packets to detect and mitigate potential security threats, such as malicious traffic or unauthorized access attempts. This includes inspecting packet headers and payloads for anomalies, applying predefined security policies, and filtering or blocking suspicious packets. The system may also prioritize legitimate traffic based on quality of service (QoS) parameters to ensure efficient network performance. Additionally, the method may involve logging and reporting security events for further analysis. The ingress interface acts as a gateway, enforcing security measures and optimizing traffic flow to protect the internal network from external threats while maintaining reliable communication. The system may integrate with other network security tools, such as firewalls or intrusion detection systems, to enhance overall network defense. The method ensures that only authorized and safe traffic enters the network, reducing the risk of cyberattacks and improving network efficiency.

Claim 3

Original Legal Text

3. The method of claim 1, wherein the tracking information includes source or destination IP addresses of the plurality of packets.

Plain English Translation

A system and method for network traffic analysis and monitoring involves tracking information associated with data packets transmitted over a network. The method captures and processes network traffic to extract tracking information, which includes source and destination IP addresses of the packets. This tracking information is used to analyze network behavior, identify anomalies, or enforce security policies. The system may also correlate the tracking information with additional metadata, such as timestamps, packet sizes, or protocol types, to provide a comprehensive view of network activity. By monitoring source and destination IP addresses, the system can detect unauthorized access attempts, track data flows, or optimize network performance. The method may be implemented in hardware, software, or a combination thereof, and can operate at various network layers to ensure accurate and efficient tracking. The system may also generate alerts or reports based on the analyzed data to assist network administrators in maintaining security and performance.

Claim 4

Original Legal Text

4. The method of claim 1, wherein the tracking information includes source or destination port of the plurality of packets.

Plain English Translation

This invention relates to network traffic monitoring and analysis, specifically improving the tracking of data packets within a network. The problem addressed is the need for more detailed and accurate tracking of network traffic to enhance security, performance monitoring, and troubleshooting. Traditional methods often lack granularity in identifying the source or destination of network communications, leading to inefficiencies in detecting anomalies or optimizing traffic flow. The invention provides a method for tracking network packets by including source or destination port information in the tracking data. This allows for precise identification of the endpoints involved in network communications, enabling better analysis of traffic patterns, security threats, and application performance. The method involves capturing packets from a network, extracting metadata such as source and destination IP addresses, and additionally recording the source or destination port numbers associated with those packets. This enhanced tracking data can then be used to correlate traffic flows, detect unauthorized access attempts, or optimize network routing based on application-specific requirements. By incorporating port information, the method improves the accuracy of traffic analysis and enables more effective network management. The solution is applicable in various network environments, including enterprise networks, data centers, and cloud infrastructures, where detailed traffic monitoring is essential for security and operational efficiency.

Claim 5

Original Legal Text

5. The method of claim 1, wherein the implicit deny rule comprises dropping of the plurality of packets based on implicitly denied tracking information.

Plain English Translation

A system and method for network security involves processing network traffic by analyzing packets to determine whether they should be allowed or blocked. The method includes receiving a plurality of packets from a network, extracting tracking information from each packet, and comparing the tracking information against a set of predefined rules. If the tracking information matches an explicit allow rule, the packets are permitted to pass through the network. If the tracking information does not match any explicit rules, an implicit deny rule is applied, which involves dropping the packets based on the implicitly denied tracking information. The implicit deny rule ensures that only packets meeting specific criteria are allowed, enhancing network security by defaulting to blocking unknown or unauthorized traffic. The system may also include a tracking information database that stores allow and deny rules, which can be dynamically updated to adapt to changing network conditions or security threats. This approach provides a robust mechanism for filtering network traffic, preventing unauthorized access, and maintaining secure communication channels.

Claim 6

Original Legal Text

6. The method of claim 1, wherein the plurality of drop rules are sequentially arranged based on a priority position of each drop rule from the plurality of drop rules.

Plain English Translation

A system and method for managing network traffic involves processing data packets using a set of drop rules to determine whether to discard or forward packets. The drop rules are sequentially arranged based on priority, where each rule has a designated position that dictates the order in which they are evaluated. Higher-priority rules are checked first, and if a packet matches a rule, the corresponding action (e.g., dropping or forwarding) is executed. This prioritization ensures that critical traffic policies are enforced before less important ones. The method may also include dynamically adjusting the priority of rules based on network conditions or administrative policies. The system may be implemented in a network device such as a router, switch, or firewall, where the drop rules are stored in a configurable rule set. The sequential evaluation ensures efficient processing while maintaining flexibility in traffic management. This approach is particularly useful in high-traffic environments where real-time decision-making is required to optimize network performance and security.

Claim 7

Original Legal Text

7. The method of claim 1, wherein determining the sequence for the unique drop rule comprises: analyzing the set of packets in response to the dropping; determining a hit count of the set of packets; and positioning the unique drop rule based on a higher hit count value amongst the plurality of drop rules.

Plain English Translation

This invention relates to network traffic management, specifically optimizing packet filtering and dropping rules in a network device. The problem addressed is inefficient packet processing due to suboptimal ordering of drop rules, leading to unnecessary computational overhead and degraded performance. The method involves dynamically adjusting the sequence of drop rules in a network device to prioritize rules that are most frequently triggered. When packets are dropped, the system analyzes the affected packet set to determine a hit count, representing how often each drop rule is applied. The system then reorders the drop rules, placing rules with higher hit counts earlier in the sequence. This ensures that frequently triggered rules are evaluated first, reducing the number of unnecessary rule evaluations and improving processing efficiency. The method may also involve tracking packet characteristics, such as source/destination addresses or protocol types, to refine rule positioning. By continuously monitoring and adjusting rule order based on real-time traffic patterns, the system maintains optimal performance without manual intervention. This approach is particularly useful in high-traffic environments where static rule ordering would lead to inefficiencies.
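The following Python is an added worked example, not code from the patent or from the Patentable page. It simulates the mechanism that claims 1 and 5 through 7 describe: a sequentially arranged rule chain evaluated first-match-wins over tracking information (source/destination IP and port), an implicit deny for anything unmatched, generation of one explicit "unique drop rule" for the most frequent tracking tuple in the implicitly denied set, and positioning of that rule by hit count. The addresses, rule names, and the constructed traffic are this example's own; so is the overlap check that refuses to place the generated drop rule ahead of an allow rule it could shadow, a safeguard the claims do not mention but that a practitioner needs, because an aggregated drop rule inserted purely by hit count can otherwise start dropping traffic the policy explicitly allows.

```python
"""Added example: first-match rule chain with implicit deny, plus generation and
hit-count positioning of a unique drop rule for implicitly denied packets.
All packets, addresses and rule names below are constructed for illustration."""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Tracking-information fields the rules match on (source/destination IP and port).
FIELDS = ("src_ip", "dst_ip", "src_port", "dst_port")


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


@dataclass
class Rule:
    name: str
    action: str                    # "allow" or "drop"
    src_ip: Optional[str] = None   # None means wildcard
    dst_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    hits: int = 0                  # how often this rule has matched so far

    def matches(self, pkt: Packet) -> bool:
        return all(getattr(self, f) in (None, getattr(pkt, f)) for f in FIELDS)

    def overlaps(self, other: "Rule") -> bool:
        """True if some packet could match both rules (no field pins them apart)."""
        return all(getattr(self, f) is None or getattr(other, f) is None
                   or getattr(self, f) == getattr(other, f) for f in FIELDS)


class Policy:
    """Sequentially arranged rules; first match wins; unmatched packets are
    implicitly denied and remembered for later rule generation."""

    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)
        self.implicit_denied: List[Packet] = []

    def evaluate(self, pkt: Packet) -> Tuple[str, str]:
        for rule in self.rules:
            if rule.matches(pkt):
                rule.hits += 1
                return rule.action, rule.name
        self.implicit_denied.append(pkt)          # implicit deny: nothing matched
        return "drop", "implicit-deny"

    def generate_unique_drop_rule(self, key=("src_ip",)) -> Optional[Rule]:
        """Turn the most frequent tracking tuple among implicitly denied packets
        into an explicit drop rule and insert it ahead of lower-hit-count rules.
        Assumption added here: never place it ahead of an allow rule it overlaps,
        so the aggregated rule cannot shadow traffic the policy explicitly allows."""
        if not self.implicit_denied:
            return None
        counts = Counter(tuple(getattr(p, k) for k in key) for p in self.implicit_denied)
        values, hit_count = counts.most_common(1)[0]
        new_rule = Rule(name=f"auto-drop-{len(self.rules)}", action="drop",
                        hits=hit_count, **dict(zip(key, values)))
        # Higher hit count earlier in the sequence.
        pos = next((i for i, r in enumerate(self.rules) if r.hits < hit_count),
                   len(self.rules))
        # Safety floor: stay below every allow rule whose match set overlaps ours.
        for i, r in enumerate(self.rules):
            if r.action == "allow" and r.overlaps(new_rule):
                pos = max(pos, i + 1)
        self.rules.insert(pos, new_rule)
        self.implicit_denied = [p for p in self.implicit_denied if not new_rule.matches(p)]
        return new_rule


def demo() -> dict:
    """Constructed traffic: legitimate HTTPS clients plus one host probing many ports."""
    policy = Policy([
        Rule("allow-web", "allow", dst_ip="198.51.100.10", dst_port=443),
        Rule("drop-telnet", "drop", dst_port=23),
    ])
    traffic = [Packet("192.0.2.5", "198.51.100.10", 50000, 443)] * 3
    traffic += [Packet("203.0.113.7", "198.51.100.10", 40000 + i, port)
                for i, port in enumerate((22, 3389, 8080, 445, 23))]
    before = [policy.evaluate(p)[1] for p in traffic]
    rule = policy.generate_unique_drop_rule(key=("src_ip",))
    after = [policy.evaluate(p)[1] for p in traffic]
    return {
        "before": before,
        "new_rule": rule.name if rule else None,
        "order": [r.name for r in policy.rules],
        "after": after,
        "implicit_denied_left": len(policy.implicit_denied),
    }


if __name__ == "__main__":
    print(demo())
```

In the constructed run the four probes that matched nothing are implicitly denied, so the generated rule for source 203.0.113.7 carries a hit count of 4, higher than either existing rule. Hit count alone would put it at the head of the chain, but the overlap floor keeps it below `allow-web` (which wildcards the source address and so could match that host's traffic), landing it second, still ahead of the lower-hit `drop-telnet` rule. The lesson for anyone deploying the claimed technique is that positioning must consider rule semantics as well as hit counts.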

Claim 8

Original Legal Text

8. The method of claim 1 further comprises: determining a buffer value to hold the set of packets based on positioning of the unique drop rule; configuring a timeout period for installation of the unique drop rule amongst the plurality of drop rules; and deploying the unique drop rule based on the buffer value and the timeout period.

Plain English Translation

This invention relates to network packet processing, specifically managing packet drops in a network device. The problem addressed is efficiently handling packet drops while minimizing resource usage and ensuring timely rule deployment. The method involves dynamically determining a buffer value to temporarily hold packets based on the position of a unique drop rule within a set of drop rules. This buffer prevents packet loss during rule installation. Additionally, a timeout period is configured to control how long the unique drop rule remains active among other drop rules, ensuring optimal resource utilization. The unique drop rule is then deployed using the buffer value and timeout period, balancing packet handling efficiency and system performance. The method ensures that packets are processed without unnecessary delays or drops, improving network reliability. The invention is particularly useful in high-traffic environments where rapid rule deployment and minimal packet loss are critical.

Claim 9

Original Legal Text

9. A system for generating dynamic rules for a firewall policy, the system comprising: a network interface; a processor coupled to the network interface; a memory communicatively coupled to the processor and having processor instructions stored thereon, causing the processor, on execution to: apply a plurality of drop rules to a plurality of packets received at a network interface, wherein the plurality of drop rules are sequentially arranged and determine at least one of allowance and dropping of a packet of the plurality of packets based on a tracking information; generate a unique drop rule for dropping a set of packets from the plurality of packets based on an implicit deny rule, wherein the implicit deny rule determines a drop for each of the plurality of packets; and determine a sequence for the unique drop rule in the plurality of drop rules based on dropping of the set of packets.

Plain English Translation

This system dynamically generates and sequences firewall rules to improve network security. The problem addressed is the inefficiency of static firewall policies, which struggle to adapt to evolving threats and traffic patterns. The system includes a network interface, a processor, and memory storing instructions for processing packets. It applies a sequence of drop rules to incoming packets, where each rule determines whether a packet is allowed or dropped based on tracking information. If a packet is not explicitly allowed by any rule, an implicit deny rule drops it. The system then generates a unique drop rule for packets that would otherwise be dropped by the implicit deny rule, optimizing the rule set. It determines the optimal position of this new rule within the existing sequence to ensure efficient packet filtering. This dynamic approach reduces unnecessary processing and enhances security by automatically adapting to traffic patterns and threats. The system improves upon traditional firewalls by automating rule generation and sequencing, minimizing manual intervention and improving performance.

Claim 10

Original Legal Text

10. The system of claim 9, wherein the network interface is an ingress interface at a communication network.

Plain English Translation

A system for managing network traffic at an ingress interface of a communication network. The system includes a network interface configured to receive incoming data packets from external sources. A processing module analyzes the data packets to determine their characteristics, such as source, destination, type, and priority. A filtering module applies predefined rules to the data packets based on their characteristics, allowing or blocking them according to network policies. A monitoring module tracks the traffic flow, detecting anomalies or policy violations. The system dynamically adjusts filtering rules in response to real-time traffic conditions or security threats. The processing module may also prioritize certain packets for faster transmission, ensuring critical data is handled efficiently. The system enhances network security by preventing unauthorized access and optimizes performance by managing bandwidth usage. It is particularly useful in high-traffic environments where real-time monitoring and adaptive filtering are essential. The system integrates with existing network infrastructure, providing scalable and flexible traffic management solutions.

Claim 11

Original Legal Text

11. The system of claim 9, wherein the tracking information includes source or destination IP addresses of the plurality of packets.

Plain English Translation

A system for network traffic analysis monitors and processes data packets transmitted over a network. The system captures packets from network traffic and extracts tracking information, including source and destination IP addresses, to analyze communication patterns. This tracking information is used to identify network connections, detect anomalies, and improve network security. The system may also correlate the tracking information with additional metadata, such as timestamps or packet payload data, to enhance analysis. By tracking IP addresses, the system can map network flows, detect unauthorized access attempts, and optimize traffic routing. The system may be deployed in various network environments, including enterprise networks, data centers, or cloud infrastructures, to provide real-time or historical traffic insights. The inclusion of IP addresses in tracking information enables precise identification of communication endpoints, aiding in threat detection and network troubleshooting. The system may further integrate with security tools or network management platforms to automate responses to detected issues.

Claim 12

Original Legal Text

12. The system of claim 9, wherein the tracking information includes source or destination port of the plurality of packets.

Plain English Translation

A system for network traffic analysis and monitoring captures and processes network packets to extract tracking information, including source and destination port numbers, for identifying and managing network communications. The system analyzes packet data to determine the origin and destination of network traffic, enabling detection of anomalies, unauthorized access, or performance issues. By tracking port information, the system can classify traffic types, enforce security policies, and optimize network performance. The system may also correlate port data with other packet attributes, such as IP addresses or protocols, to provide comprehensive traffic insights. This approach enhances network visibility, improves security, and supports efficient traffic management in both wired and wireless networks. The system can be deployed in routers, firewalls, or dedicated monitoring devices to monitor real-time or historical traffic patterns.

Claim 13

Original Legal Text

13. The system of claim 9, wherein the implicit deny rule comprises dropping of the plurality of packets based on implicitly denied tracking information.

Plain English Translation

A system for network security enforces an implicit deny rule by dropping packets that lack explicit permission. The system tracks network traffic using tracking information, which includes metadata such as source and destination addresses, protocols, and port numbers. When a packet does not match any predefined allow rules, the system applies the implicit deny rule, automatically discarding the packet without further processing. This approach ensures that only authorized traffic is permitted, enhancing security by default. The system may also include a rule engine that evaluates packets against a set of allow rules before applying the implicit deny rule. If no matching allow rule is found, the packet is dropped based on the implicit deny tracking information, which may include dynamic or static criteria. The system may operate in a network firewall, intrusion detection system, or similar security appliance, providing a robust mechanism for filtering unauthorized traffic. This method improves network security by minimizing exposure to malicious or unauthorized packets.

Claim 14

Original Legal Text

14. The system of claim 9, wherein the plurality of drop rules are sequentially arranged based on a priority position of each drop rule from the plurality of drop rules.

Plain English Translation

A system for managing network traffic prioritization includes a plurality of drop rules that are sequentially arranged based on a priority position of each drop rule. These drop rules determine whether to drop or forward network packets based on predefined criteria, such as packet type, source, or destination. The sequential arrangement ensures that higher-priority rules are evaluated before lower-priority ones, allowing for efficient traffic management. The system may also include a rule evaluation module that processes incoming packets against the drop rules in order, applying the first matching rule to decide packet handling. This prioritization helps optimize network performance by ensuring critical traffic is processed first while less important packets are dropped if necessary. The system may be integrated into network devices like routers or switches to dynamically adjust traffic flow based on real-time conditions. The priority-based arrangement allows for flexible configuration, enabling network administrators to customize traffic handling policies according to specific requirements. This approach improves efficiency by reducing unnecessary processing of low-priority packets and ensuring high-priority traffic receives preferential treatment.

Claim 15

Original Legal Text

15. The system of claim 9, wherein to determine the sequence for the unique drop rule, the processor instructions are further configured to: analyze the set of packets in response to the dropping; determine a hit count of the set of packets; and position the unique drop rule based on a higher hit count value amongst the plurality of drop rules.

Plain English Translation

A system for optimizing network traffic management analyzes packet flow to dynamically adjust drop rules for congestion control. The system monitors network traffic and applies drop rules to selectively discard packets when congestion occurs. To improve efficiency, the system evaluates the impact of each drop rule by analyzing the set of packets affected by the dropping action. It calculates a hit count, representing the number of packets matched by each rule, and prioritizes rules with higher hit counts. The system then positions the most effective drop rule (the one with the highest hit count) in a sequence to maximize its impact on reducing congestion. This adaptive approach ensures that the most frequently triggered drop rule is prioritized, enhancing network performance by minimizing unnecessary packet loss and improving traffic flow. The system dynamically adjusts rule positioning based on real-time traffic analysis, allowing for continuous optimization of network congestion management.

Claim 16

Original Legal Text

16. The system of claim 9, wherein the processor instructions further cause the processor to: determine a buffer value to hold the set of packets based on positioning of the unique drop rule; configure a timeout period for installation of the unique drop rule amongst the plurality of drop rules; and deploy the unique drop rule based on the buffer value and the timeout period.

Plain English Translation

This invention relates to network traffic management, specifically a system for dynamically handling packet drops in a network device. The system addresses the challenge of efficiently managing packet drops in high-traffic environments where static drop rules may lead to inefficiencies or security vulnerabilities. The system includes a processor that executes instructions to determine a buffer value for holding a set of packets based on the positioning of a unique drop rule within a plurality of drop rules. The buffer value is calculated to optimize storage and processing resources while ensuring compliance with the drop rule's requirements. Additionally, the processor configures a timeout period for installing the unique drop rule among the existing drop rules, ensuring that the rule is applied within a specified timeframe to prevent network congestion or security breaches. The unique drop rule is then deployed based on the calculated buffer value and the configured timeout period, allowing for adaptive and efficient packet handling. The system may also include a network interface for receiving and transmitting packets, a memory for storing the drop rules, and a packet buffer for temporarily holding packets pending drop rule evaluation. The processor further monitors network traffic and adjusts the buffer value and timeout period dynamically to adapt to changing network conditions. This ensures that the system remains responsive and efficient under varying loads. The invention improves network performance by reducing unnecessary packet drops and enhancing security by dynamically enforcing drop rules.

Claim 17

Original Legal Text

17. A non-transitory computer-readable storage medium comprising a set of computer executable instructions causing a system for generating dynamic rules for a firewall policy that includes one or more processors to perform steps including: applying a plurality of drop rules to a plurality of packets received at a network interface, wherein the plurality of drop rules are sequentially arranged and determine at least one of allowance and dropping of a packet of the plurality of packets based on a tracking information; generating a unique drop rule for dropping a set of packets from the plurality of packets based on an implicit deny rule, wherein the implicit deny rule determines a drop for each of the plurality of packets; and determining a sequence for the unique drop rule in the plurality of drop rules based on dropping of the set of packets.

Plain English Translation

This invention relates to network security, specifically dynamic rule generation for firewall policies. The problem addressed is the inefficiency of static firewall rules in handling evolving network traffic patterns, leading to performance bottlenecks and security gaps. The solution involves a system that dynamically generates and sequences firewall rules to optimize packet filtering. The system processes incoming network packets using a predefined set of drop rules arranged in a sequence. Each rule evaluates packets based on tracking information, such as source/destination addresses or port numbers, to decide whether to allow or drop them. If a packet is not matched by any rule, an implicit deny rule automatically drops it. The system then analyzes dropped packets to identify patterns and generates a unique drop rule targeting those packets. This new rule is inserted into the existing sequence at an optimal position to improve filtering efficiency. The dynamic adjustment ensures that the firewall adapts to changing traffic conditions without manual intervention, reducing administrative overhead and enhancing security. The approach minimizes unnecessary packet inspections while maintaining strict access control.

Patent Metadata

Filing Date: Unknown
Publication Date: June 16, 2020
Inventors: Maulik Yagnik

Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, FAQs, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “METHOD AND SYSTEM FOR GENERATING DYNAMIC RULES FOR COMPUTER NETWORK FIREWALL” (10686760). https://patentable.app/patents/10686760